Lookout Product Documentation

Permissions Needed for Custom Onboarding App

The permissions needed by your custom app will depend on how you intend to use Secure Cloud Access with Microsoft 365:

  • Monitor only - You will use Secure Cloud Access to monitor your users’ Microsoft 365 activity.
  • Monitor and detect - You will use Secure Cloud Access to monitor your users’ Microsoft 365 activity and detect unauthorized usage.
  • Monitor, detect, and enforce - You will also use Secure Cloud Access to take actions on policy violations.

    You need these permissions for each scenario.

    Function: Monitor only

    Scope: Microsoft 365 without Teams
    Permissions needed:
      • graph:Application:AuditLog.Read.All
      • graph:Delegated:AuditLog.Read.All
      • graph:Application:Application.Read.All
      • mgmt:Delegated:ActivityFeed.Read
      • graph:Delegated:Directory.Read.All
      • graph:Application:User.Read.All
      • graph:Delegated:User.Read.All
      • graph:Application:Group.Read.All
      • graph:Application:GroupMember.Read.All
      • graph:Application:Sites.Read.All
      • graph:Application:Directory.Read.All

    Scope: Microsoft 365 with Teams
    Permissions needed: All permissions above, and:
      • graph:Delegated:Chat.Read
      • graph:Application:Chat.Read.All
      • graph:Application:Channel.ReadBasic.All
      • graph:Application:ChannelMessage.Read.All
      • graph:Application:ChannelSettings.Read.All
      • graph:Application:ChatMember.Read.All

    Function: Monitor and detect

    Scope: Microsoft 365 without Teams
    Permissions needed:
      • graph:Application:AuditLog.Read.All
      • graph:Delegated:AuditLog.Read.All
      • graph:Application:Application.Read.All
      • mgmt:Delegated:ActivityFeed.Read
      • graph:Application:Files.Read.All
      • graph:Delegated:Files.Read.All
      • graph:Application:Sites.Read.All
      • graph:Application:User.Read.All
      • graph:Delegated:User.Read.All
      • graph:Application:Group.Read.All
      • graph:Application:GroupMember.Read.All
      • graph:Delegated:Directory.Read.All
      • graph:Application:Directory.Read.All
      • graph:Application:Organization.Read.All
      • sharepoint:Application:Sites.Read.All

    Scope: Microsoft 365 with Teams
    Permissions needed: All permissions above, and:
      • graph:Delegated:Chat.Read
      • graph:Application:Chat.Read.All
      • graph:Application:Channel.ReadBasic.All
      • graph:Application:ChannelMessage.Read.All
      • graph:Application:ChannelSettings.Read.All

    Function: Monitor, detect, and enforce

    Scope: Microsoft 365 without Teams
    Permissions needed:
      • graph:Application:AuditLog.Read.All
      • graph:Delegated:AuditLog.Read.All
      • graph:Application:Application.Read.All
      • mgmt:Delegated:ActivityFeed.Read
      • graph:Application:User.Read.All
      • graph:Delegated:User.Read.All
      • graph:Application:Organization.Read.All
      • sharepoint:Application:Sites.FullControl.All
      • sharepoint:Application:TermStore.Read.All
      • graph:Delegated:Sites.Manage.All
      • graph:Application:Sites.Manage.All
      • graph:Application:Directory.ReadWrite.All
      • graph:Delegated:Directory.ReadWrite.All
      • graph:Delegated:Reports.Read.All
      • graph:Application:GroupMember.ReadWrite.All
      • graph:Delegated:Group.ReadWrite.All
      • graph:Application:Group.ReadWrite.All
      • graph:Application:Files.ReadWrite.All
      • graph:Delegated:Files.ReadWrite.All

    Scope: Microsoft 365 with Teams
    Permissions needed: All permissions above, and:
      • graph:Application:Channel.ReadBasic.All
      • graph:Application:ChannelMessage.Read.All
      • graph:Delegated:Chat.ReadWrite
      • graph:Delegated:ChannelMessage.Send
      • graph:Delegated:ChatMember.ReadWrite
      • graph:Application:Chat.ReadWrite.All
      • graph:Application:Chat.UpdatePolicyViolation.All
      • graph:Application:ChannelMessage.UpdatePolicyViolation.All
      • graph:Application:ChannelSettings.ReadWrite.All
      • graph:Application:ChatMember.ReadWrite.All
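
A least-privilege check for the "Monitor only, Microsoft 365 without Teams" scenario, as an added example (not Lookout's code): it compares the permissions granted to the custom app with that scenario's required set and reports missing and surplus grants. The granted list is a constructed sample, assumed to have been exported into the api:Type:Permission notation used above; the function and variable names are hypothetical.

```python
from typing import NamedTuple

class Perm(NamedTuple):
    api: str    # graph, mgmt or sharepoint
    kind: str   # Application or Delegated
    name: str   # e.g. AuditLog.Read.All

def parse(entry: str) -> Perm:
    """Split 'graph:Application:User.Read.All' into its three fields."""
    parts = entry.strip().split(":")
    if len(parts) != 3 or parts[1] not in ("Application", "Delegated"):
        raise ValueError(f"malformed permission entry: {entry!r}")
    return Perm(*parts)

# Required set for "Monitor only / Microsoft 365 without Teams", as listed on this page.
MONITOR_ONLY = {parse(p) for p in """
graph:Application:AuditLog.Read.All graph:Delegated:AuditLog.Read.All
graph:Application:Application.Read.All mgmt:Delegated:ActivityFeed.Read
graph:Delegated:Directory.Read.All graph:Application:User.Read.All
graph:Delegated:User.Read.All graph:Application:Group.Read.All
graph:Application:GroupMember.Read.All graph:Application:Sites.Read.All
graph:Application:Directory.Read.All
""".split()}

# Name fragments that signal more than read access (all appear in the enforce scenario).
WRITE_MARKERS = ("ReadWrite", "FullControl", "Manage", "Send", "Update")

def audit(granted_entries, required=MONITOR_ONLY):
    """Return (missing, excess, write_capable_excess) for the granted entries."""
    granted = {parse(e) for e in granted_entries}
    missing = sorted(required - granted)
    excess = sorted(granted - required)
    risky = [p for p in excess if any(m in p.name for m in WRITE_MARKERS)]
    return missing, excess, risky

# Constructed sample: one required grant is absent, two grants go beyond the scenario.
SAMPLE_GRANTED = [":".join(p) for p in MONITOR_ONLY
                  if p.name != "ActivityFeed.Read"] + [
    "graph:Application:Directory.ReadWrite.All",  # only needed for enforce
    "graph:Application:Organization.Read.All",    # only needed from detect upward
]

if __name__ == "__main__":
    missing, excess, risky = audit(SAMPLE_GRANTED)
    print("missing:", [":".join(p) for p in missing])
    print("excess:", [":".join(p) for p in excess])
    print("write-capable excess:", [":".join(p) for p in risky])
```
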